Administration Guide

NDR logs samples

Botnet

date="2022-02-09" time="16:43:13" tz="PST" logid="0602000001" devid="FAIVMSTM21000033" type="ndr" subtype="Botnet" severity="high" sessionid=63313 alproto="DNS" tlproto="UDP" srcip="18.1.2.2" srcport=10000 dstip="18.1.1.100" dstport=53 behavior="CONN" botname="botnet Andromeda" hostname="orrisbirth.com"

date="2022-02-09" time="16:43:13" tz="PST" logid="0602000001" devid="FAIVMSTM21000033" type="ndr" subtype="Botnet" severity="high" sessionid=63313 alproto="DNS" tlproto="UDP" srcip="18.1.2.2" srcport=10000 dstip="18.1.1.100" dstport=53 behavior="RESP" botname="botnet Other"  hostname="cdn12-web-security.com"
Fields

behavior

User activity, for example CONN, RESP, VISIT, GET, etc.

botname

The name of the detected botnet

hostname

The hostname involved in the botnet activity

Encrypted

date="2022-02-11" time="10:19:03" tz="PST" logid="0603000001" devid="FAI35FT321000001" type="ndr" subtype="Encrypted" severity="critical" sessionid=11554817 alproto="TLS" tlproto="TCP" srcip="172.19.236.140" srcport=5326 dstip="173.245.59.98" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_256_GCM_SHA384" md5="f436b9416f37d134cadd04886327d3e8"
Fields

behavior

User activity, for example CONN, RESP, VISIT, GET, etc.

vers

The version of the application layer protocol (alproto), as a string

cipher

The encryption algorithm.

md5

The MD5 hash of the JA3 fingerprint

IOC

date="2022-02-14" time="07:36:13" tz="PST" logid="0605000001" devid="FAI35FT321000001" type="ndr" subtype="IOC" severity="critical" sessionid=19906026 alproto="HTTP" tlproto="TCP" srcip="172.19.235.198" srcport=49304 dstip="178.63.120.205" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_128_GCM_SHA256" md5="52bea59cf17d9fd5dedd2835fd8e1afe" campaign="CoinMiner" hostname="s3.amazonaws.com" url="/"
Fields

behavior

User activity, for example CONN, RESP, VISIT, GET, etc.

vers

The version of the application layer protocol (alproto)

cipher

The encryption algorithm.

md5

The MD5 hash of the JA3 fingerprint

campaign

The IOC campaign the indicator belongs to

hostname

The hostname

url

The URL visited

IPS attack

date="2022-02-10" time="19:16:56" tz="PST" logid="0604000001" devid="FAI35FT321000001" type="ndr" subtype="IPS attack" severity="low" sessionid=9237954 alproto="OTHER" tlproto="UDP" srcip="172.19.236.145" srcport=57325 dstip="194.69.172.33" dstport=53 behavior="CONN" vname="DNS.Amplification.Detection" vulntype="Anomaly" 

date="2022-02-10" time="18:32:54" tz="PST" logid="0604000001" devid="FAI35FT321000001" type="ndr" subtype="IPS attack" severity="medium" sessionid=9092973 alproto="OTHER" tlproto="ICMP" srcip="172.19.235.62" srcport=0 dstip="172.19.236.50" dstport=771 behavior="CONN" vname="BlackNurse.ICMP.Type.3.Code.3.Flood.DoS" vulntype="DoS" 
Fields

behavior

User activity, for example CONN, RESP, VISIT, GET, etc.

vname

The virus name

vulntype

The vulnerability type of the detected attack

Weak cipher

date="2022-02-07" time="14:18:57" tz="PST" logid="0606000001" devid="FAIVMSTM21000033" type="ndr" subtype="Weak cipher" severity="medium" sessionid=569705 alproto="IMAP" tlproto="TCP" srcip="17.1.6.20" srcport=63310 dstip="18.2.1.114" dstport=443 behavior="CONN" vers="2" cipher="TLS_NULL_WITH_NULL_NULL" ciphername="weak cipher"

date="2022-02-07" time="14:18:57" tz="PST" logid="0606000001" devid="FAIVMSTM21000033" type="ndr" subtype="Weak cipher" severity="medium" sessionid=570387 alproto="SMB" tlproto="TCP" srcip="17.2.12.171" srcport=10001 dstip="17.1.1.119" dstport=443 behavior="CONN" vers="1" cipher="TLS_RSA_WITH_AES_256_GCM_SHA384" md5="9a157673907688965992b40304f50a1e"  ciphername="weak version"
Fields

behavior

User activity, for example CONN, RESP, VISIT, GET, etc.

vers

The version of the application layer protocol (alproto)

cipher

The encryption algorithm.

md5

The MD5 hash of the JA3 fingerprint

ciphername

The type name of the weak cipher or vulnerable protocol version

ML

date="2022-02-18" time="15:54:39" tz="PST" logid="0608000001" devid="FAIVMSTM21000033" type="ndr" subtype="ML" severity="low" sessionid=1135774 alproto="DNS" tlproto="TCP" srcip="17.1.10.185" srcport=35546 dstip="17.1.1.119" dstport=389 reasons="Device IP,Device MAC address,Session packet size,Transport layer protocol,Application layer protocol,Source port number,TLS version,Id of nta_dev_ip,Protocol or application behaviors or action"
Fields

reasons

A comma-separated list of the reasons that led to the ML anomaly detection.

Common Fields

date

The date the log was sent, in the format yyyy-mm-dd

time

The time the log was sent, in the format hh:mm:ss

tz

The system timezone

logid

The log ID, generated from the log type and log subtype

devid

The device serial number

type

The log type, always the fixed string ndr

subtype

The anomaly type, by category

severity

The severity of the traffic, as assigned by NDR

sessionid

The session ID, which refers to the NDR log entry in FortiNDR

alproto

The application layer protocol

tlproto

The transport layer protocol

srcip

Source IP

srcport

Source port

dstip

Destination IP

dstport

Destination port
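The samples above all share one key=value layout: string values are double-quoted and may contain spaces or commas (botname, reasons), while numeric values such as sessionid and the ports are unquoted. The following parser is an added example and is not part of the FortiNDR product or this guide; it takes the sample lines from this page as constructed input, converts them into typed records, splits the ML "reasons" field into a list, and filters sessions by a minimum severity using the four severity values that appear in the samples. The severity ranking and the function names are assumptions made for the example.

```python
import re
from typing import Any

# Constructed sample input: one line per subtype, copied from the samples in this guide.
SAMPLE_LOGS = [
    'date="2022-02-09" time="16:43:13" tz="PST" logid="0602000001" devid="FAIVMSTM21000033" type="ndr" subtype="Botnet" severity="high" sessionid=63313 alproto="DNS" tlproto="UDP" srcip="18.1.2.2" srcport=10000 dstip="18.1.1.100" dstport=53 behavior="CONN" botname="botnet Andromeda" hostname="orrisbirth.com"',
    'date="2022-02-11" time="10:19:03" tz="PST" logid="0603000001" devid="FAI35FT321000001" type="ndr" subtype="Encrypted" severity="critical" sessionid=11554817 alproto="TLS" tlproto="TCP" srcip="172.19.236.140" srcport=5326 dstip="173.245.59.98" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_256_GCM_SHA384" md5="f436b9416f37d134cadd04886327d3e8"',
    'date="2022-02-14" time="07:36:13" tz="PST" logid="0605000001" devid="FAI35FT321000001" type="ndr" subtype="IOC" severity="critical" sessionid=19906026 alproto="HTTP" tlproto="TCP" srcip="172.19.235.198" srcport=49304 dstip="178.63.120.205" dstport=443 behavior="CONN" vers="7" cipher="TLS_AES_128_GCM_SHA256" md5="52bea59cf17d9fd5dedd2835fd8e1afe" campaign="CoinMiner" hostname="s3.amazonaws.com" url="/"',
    'date="2022-02-10" time="19:16:56" tz="PST" logid="0604000001" devid="FAI35FT321000001" type="ndr" subtype="IPS attack" severity="low" sessionid=9237954 alproto="OTHER" tlproto="UDP" srcip="172.19.236.145" srcport=57325 dstip="194.69.172.33" dstport=53 behavior="CONN" vname="DNS.Amplification.Detection" vulntype="Anomaly" ',
    'date="2022-02-07" time="14:18:57" tz="PST" logid="0606000001" devid="FAIVMSTM21000033" type="ndr" subtype="Weak cipher" severity="medium" sessionid=569705 alproto="IMAP" tlproto="TCP" srcip="17.1.6.20" srcport=63310 dstip="18.2.1.114" dstport=443 behavior="CONN" vers="2" cipher="TLS_NULL_WITH_NULL_NULL" ciphername="weak cipher"',
    'date="2022-02-18" time="15:54:39" tz="PST" logid="0608000001" devid="FAIVMSTM21000033" type="ndr" subtype="ML" severity="low" sessionid=1135774 alproto="DNS" tlproto="TCP" srcip="17.1.10.185" srcport=35546 dstip="17.1.1.119" dstport=389 reasons="Device IP,Device MAC address,Session packet size,Transport layer protocol,Application layer protocol,Source port number,TLS version,Id of nta_dev_ip,Protocol or application behaviors or action"',
]

# key=value pairs: the value is either a double-quoted string (which may contain
# spaces and commas, and backslash escapes) or a run of non-space characters.
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Assumed ranking of the severity values seen in the samples (not defined by the guide).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_ndr_log(line: str) -> dict[str, Any]:
    """Parse one NDR log line into a dict.

    Quoted values become str, unquoted integers become int, and the ML
    'reasons' field is split on commas into a list of stripped strings.
    Unknown keys are kept as-is so the parser survives new subtypes.
    """
    record: dict[str, Any] = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"'):
            value: Any = raw[1:-1]          # strip the surrounding quotes
        elif raw.lstrip("-").isdigit():
            value = int(raw)                # sessionid, srcport, dstport, ...
        else:
            value = raw
        record[key] = value
    if isinstance(record.get("reasons"), str):
        record["reasons"] = [r.strip() for r in record["reasons"].split(",") if r.strip()]
    return record


def select_sessions(lines: list[str], min_severity: str = "high") -> list[int]:
    """Return the session IDs of records at or above the given severity.

    Records whose severity is outside SEVERITY_RANK are skipped rather than
    treated as low, so an unexpected value never silently drops an alert tier.
    """
    threshold = SEVERITY_RANK[min_severity]
    selected = []
    for line in lines:
        rec = parse_ndr_log(line)
        rank = SEVERITY_RANK.get(rec.get("severity"))
        if rank is not None and rank >= threshold:
            selected.append(rec["sessionid"])
    return selected


def count_by_subtype(lines: list[str]) -> dict[str, int]:
    """Count records per subtype, a quick sanity check when onboarding the feed."""
    counts: dict[str, int] = {}
    for line in lines:
        subtype = parse_ndr_log(line).get("subtype", "unknown")
        counts[subtype] = counts.get(subtype, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_ndr_log(line)
        print(rec["subtype"], rec["severity"], rec["sessionid"], rec.get("reasons", ""))
    print("high or above:", select_sessions(SAMPLE_LOGS, "high"))
    print("per subtype:", count_by_subtype(SAMPLE_LOGS))
```

When wiring this into a SIEM pipeline, key on the common fields (logid, devid, sessionid) rather than on positional parsing, since the subtype-specific fields (botname, cipher, campaign, vname, ciphername, reasons) only appear for their own subtype and the field order is not guaranteed.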